CVE-2017-14883
Description
In the function wma_unified_power_debug_stats_event_handler() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-18, if the value of param_buf->num_debug_register received from the FW command buffer is close to the maximum of uint32, then the computation that uses this variable to calculate stats_registers_len may overflow to a smaller value, leading to less memory than required being allocated for power_stats_results and potentially a buffer overflow while copying the FW buffer to the local buffer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A uint32 overflow in a Qualcomm WLAN firmware event handler can lead to a heap buffer overflow and privilege escalation.
Vulnerability
In the function wma_unified_power_debug_stats_event_handler() used in Android for MSM, Firefox OS for MSM, and QRD Android, an integer overflow vulnerability exists. When param_buf->num_debug_register received from the FW command buffer approaches the maximum value of uint32, the computation of stats_registers_len overflows to a smaller value. This leads to insufficient memory allocation for power_stats_results, enabling a heap buffer overflow when copying the FW buffer to the local buffer. The issue affects builds prior to 2017-10-18 for these platforms, including Pixel devices as referenced in the February 2018 Security Bulletin [1].
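The length computation described above, as an added illustration that is not code from the qcacld-3.0 driver: the struct layout, the register element size and the fw_payload_len parameter are assumptions. The unchecked uint32 arithmetic wraps for a large count, while the hardened form rejects counts that would wrap or that claim more registers than the received payload carries.

```c
#include <stdint.h>

/* Constructed layout for illustration only; the real driver's structure
 * differs. The flexible array holds num_debug_register 32-bit values. */
struct power_stats_results {
    uint32_t cumulative_sleep_time_ms;
    uint32_t num_debug_register;
    uint32_t debug_registers[];
};

/* Vulnerable pattern: the allocation length is computed in uint32
 * arithmetic with no overflow check, so a count near UINT32_MAX wraps to
 * a small value and the later copy of the FW buffer runs past the end. */
uint32_t stats_len_unchecked(uint32_t num_debug_register)
{
    uint32_t hdr  = (uint32_t)sizeof(struct power_stats_results);
    uint32_t regs = num_debug_register * (uint32_t)sizeof(uint32_t);
    return hdr + regs;
}

/* Hardened form: returns the allocation length, or 0 (never a valid length,
 * since the header alone is non-zero) when the count would overflow the
 * multiplication or exceeds the bytes actually received from firmware.
 * fw_payload_len is an assumed parameter: the byte length of the register
 * data that arrived with the event. */
uint32_t stats_len_checked(uint32_t num_debug_register, uint32_t fw_payload_len)
{
    const uint32_t hdr = (uint32_t)sizeof(struct power_stats_results);
    const uint32_t reg = (uint32_t)sizeof(uint32_t);

    if (num_debug_register > (UINT32_MAX - hdr) / reg)
        return 0;                       /* hdr + n * reg would wrap */
    uint32_t regs_len = num_debug_register * reg;
    if (regs_len > fw_payload_len)
        return 0;                       /* count exceeds received data */
    return hdr + regs_len;
}
```

With num_debug_register = 0x40000001 the unchecked version yields 12 bytes for what should be a multi-gigabyte request; the checked version rejects it outright.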
Exploitation
An attacker with the ability to send a malformed FW command buffer to the WLAN subsystem can trigger the integer overflow. The attack requires the ability to control the num_debug_register field in the FW buffer. No authentication or user interaction is needed if the attacker has local or wireless proximity access to deliver the crafted buffer. The overflow occurs during the kernel-space event handler processing, making it reachable from a local user or via modified firmware.
Impact
Successful exploitation results in a heap buffer overflow, allowing the attacker to overwrite adjacent kernel memory. This can lead to escalation of privileges from an unprivileged process to kernel-level code execution (the privilege level of the affected component), potentially granting full control over the device. The impact includes compromise of confidentiality, integrity, and availability.
Mitigation
Google released fixes in the Pixel/Nexus Security Bulletin for February 2018 [1]. Affected devices should apply the Android security update level 2018-02-01 or later. For other platforms (MSM, Firefox OS for MSM, QRD Android), the fix date is 2017-10-18. No workarounds are documented; updating to a patched build is the only mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Qualcomm, Inc. / Android for MSM, Firefox OS for MSM, QRD Android (range: all Android releases from CAF using the Linux kernel)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- source.android.com/security/bulletin/pixel/2018-02-01 (CONFIRM)
- source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/ (MISC)
News mentions
No linked articles in our index yet.